ABSTRACT. Let $K = GF(q)$ denote the finite field of order $q$, let $G$ denote the group of one-to-one maps (permutations) of $K$ onto $K$, and let $GL(n,K)$ denote the group of $n \times n$ invertible matrices over $K$. Each triple $(\alpha_1,\alpha_2,A) \in G \times G \times GL(n,K)$ determines a permutation $\Pi$ of the vector space $K^n$ of $n \times 1$ matrices over $K$ as follows: $\Pi(X) = \alpha_1^{-1}A\alpha_2(X)$, $X \in K^n$, where $\alpha_i$ acts on $X$ componentwise and $A$ acts on $X$ via matrix multiplication. Two triples $(\alpha_1,\alpha_2,A)$ and $(\beta_1,\beta_2,B)$ are called equivalent iff they determine the same permutation $\Pi$. This paper determines for a given $(\alpha_1,\alpha_2,A)$ those equivalent $(\beta_1,\beta_2,B)$. It turns out that this problem is equivalent to the following one. Given $A \in GL(n,K)$ find all $g_1,g_2 \in G$ such that the mapping $g_1Ag_2^{-1}$ is a linear transformation on $K^n$. The solution to this latter problem is seen to depend on whether or not $A$ has all row sums equal and whether or not $A$ is a monomial matrix. If $A$ is monomial then the role $A$ plays in the solution depends on the subgroup of $K^* = K - \{0\}$ generated by the set $Q$ of all quotients of nonzero elements of $A$, and if $A$ is not monomial it depends on the subfield of $K$ generated by $Q$.

The equivalence relation defined above has its roots in algebraic cryptography where it arises from a question about equivalent cryptosystems based on Hill's method of matrix multiplication.


♦Research  supported  in  part  by  O.N.R.  Contract  N00014-76-C-0130 , 
Introduction.


Let $K = GF(q)$ denote the finite field of order $q = p^m$, $p$ a prime, let $G$ denote the group of one-to-one maps (permutations) of $K$ onto $K$, and let $GL(n,K)$ denote the group of $n \times n$ invertible matrices over $K$. Associate with each triple $(\alpha_1,\alpha_2,A)$ in $G \times G \times GL(n,K)$ a permutation $\Pi$ of the vector space $K^n$ of $n \times 1$ matrices over $K$ as follows:

$\Pi(X) = \alpha_1^{-1}A\alpha_2(X); \quad X \in K^n,$

where $\alpha_i$ is interpreted as acting componentwise on a vector $X$ in $K^n$ and $A$ acts on $X$ via multiplication $X \to AX$. Two triples $(\alpha_1,\alpha_2,A)$ and $(\beta_1,\beta_2,B)$ are called equivalent iff they determine the same permutation $\Pi$ of $K^n$; i.e., $\alpha_1^{-1}A\alpha_2 = \beta_1^{-1}B\beta_2$, in which case we write

$(\alpha_1,\alpha_2,A) \sim (\beta_1,\beta_2,B).$

The relation $\sim$, while of interest in its own right, has its roots in algebraic cryptography (see below) where it arises from a question concerning equivalence of cryptosystems based on Hill's method [3,4] of matrix multiplication.

The basic problem which we solve in this paper is the following: Given $(\alpha_1,\alpha_2,A)$ find all equivalent $(\beta_1,\beta_2,B)$ and determine their number. This problem is readily reformulated (see the next section) into the following problem. Given $A \in GL(n,K)$ find all $(g_1,g_2)$ pairs in $G \times G$ such that $g_1Ag_2^{-1}$ is in $GL(n,K)$ and determine their number.
By way of notation we use $K^*$ to denote the multiplicative group of $K$. We use $\bar{a}$ to denote the $n \times 1$ matrix in $K^n$ each of whose elements equals $a \in K$. Thus, for example, $g(\bar{a}) = \overline{g(a)}$ for every $g \in G$.

The present work is a generalization of previous studies [1,2] which treated the case where $\alpha_1 = \alpha_2$ and $\beta_1 = \beta_2$ and emphasized the cryptological aspects. Many of the ideas and results of those earlier papers are applicable to the present case. The most striking difference between the two cases is in the changing of the essential role of the matrix $A$. In [1] and [2] the important features of $A$ were (i) whether or not its row sums were all equal to 1 and (ii) the field and group generated by its nonzero entries $a_{ij}$. In the present case the important features of $A$ are (i) whether or not $A$ has equal row sums and (ii) the field and group generated by the set of all quotients of nonzero entries from $A$.

The reader particularly interested in cryptographic interpretations should consult [1, Sections 1 and 2]. The essential idea is briefly described as follows:

Cryptographic Interpretation. Think of the members of $K$ as being the letters of some alphabet, and consider "words" as being members of $K^n$. Then each $(\alpha_1,\alpha_2,A)$ defines a substitution system which replaces a plain-text word $X$ with a cipher-text word $Y$ using the equation $Y = \alpha_1^{-1}A\alpha_2(X)$. This is essentially the Hill system. In practice the domain $K$ of $\alpha_i$ is actually a set of letters with no algebraic structure and the mapping $\alpha_i$ serves to carry these letters to the finite field $K$ whose algebraic structure can be utilized. For this reason $\alpha_2$ is called the plain-text alphabet as it converts plain-text letters to field values and $\alpha_1$ is called the cipher-text alphabet as $\alpha_1^{-1}$ converts field values to cipher letters.
The Basic Problem.

We now assume $(\alpha_1,\alpha_2,A)$ is given and seek those equivalent $(\beta_1,\beta_2,B)$. Since $(\alpha_1,\alpha_2,A) \sim (\beta_1,\beta_2,B)$ iff $\alpha_1^{-1}A\alpha_2 = \beta_1^{-1}B\beta_2$ it follows that $(\alpha_1,\alpha_2,A) \sim (\beta_1,\beta_2,B)$ iff $g_1Ag_2^{-1} = B$ where $g_1 = \beta_1\alpha_1^{-1}$ and $g_2 = \beta_2\alpha_2^{-1}$. Hence we can determine all triples equivalent to the given triple by the following procedure:

(i) Find all $(g_1,g_2) \in G \times G$ such that $g_1Ag_2^{-1}$ is linear; i.e., in $GL(n,K)$.

(ii) For each $(g_1,g_2)$ found in (i) put $\beta_1 = g_1\alpha_1$, $\beta_2 = g_2\alpha_2$ and $B = g_1Ag_2^{-1}$.

The collection of all triples $(\beta_1,\beta_2,B)$ obtained in this way is precisely the set of triples equivalent to $(\alpha_1,\alpha_2,A)$. Moreover, the number of equivalent triples clearly equals the number of $(g_1,g_2)$ pairs determined in (i). Thus, we can focus our attention on the following problem: Given $A$ characterize those $(g_1,g_2)$ such that $g_1Ag_2^{-1}$ is linear and determine their number. We shall now attack this latter problem.

For convenience, we call a permutation $h \in G$ normalized if $h(0) = 0$ and $h(1) = 1$. We let $H$ denote the subgroup of normalized permutations and define the normalization operator $\psi : G \to H$ by $\psi(g) = h$ where $h(x) = (g(1) - g(0))^{-1}(g(x) - g(0))$. Our next theorem allows us to restrict our search for $(g_1,g_2)$ pairs where $g_1Ag_2^{-1}$ is linear to normalized pairs.
THEOREM 1. For each $A \in GL(n,K)$, let $G_A$ and $H_A$ be the sets defined by

(1)  $G_A = \{(g_1,g_2) \in G \times G : g_1Ag_2^{-1} \text{ is linear}\}$

(2)  $H_A = \{(h_1,h_2) \in H \times H : h_1Ah_2^{-1} \text{ is linear}\}$

and let $\psi : G \times G \to H \times H$ be the componentwise normalizing operator $\psi(g_1,g_2) = (\psi(g_1),\psi(g_2))$. Then $\psi$ maps $G_A$ onto $H_A$. Moreover, if $A$ has constant row sums, all equal to $r$, then the set of $(g_1,g_2) \in G_A$ which map to a given $(h_1,h_2) \in H_A$ is precisely the set of $(g_1,g_2)$ pairs defined by

(3)  $g_1(x) = m_1h_1(x) + b_2m_1m_2^{-1}h_1(r)$
     $g_2(x) = m_2h_2(x) + b_2,$

where $m_1, m_2, b_2$ vary over $K$ with $m_1 \neq 0$, $m_2 \neq 0$. If $A$ does not have constant row sums, the set of $(g_1,g_2) \in G_A$ mapping to a given $(h_1,h_2) \in H_A$ is precisely the set of $(g_1,g_2)$ pairs of the form

(4)  $g_1(x) = m_1h_1(x), \quad g_2(x) = m_2h_2(x),$

where $m_1$ and $m_2$ vary over the nonzero elements of $K$.

Proof. Let $(g_1,g_2) \in G_A$ so that $g_1Ag_2^{-1} = B \in GL(n,K)$. Since $g_1A = Bg_2$ it is easily seen from the fact $g_1A\bar{a} = Bg_2(\bar{a})$ for all $a \in K$ that (i) $g_1(\bar{0}) = Bg_2(\bar{0})$, (ii) $A$ has constant row sums iff $B$ has constant row sums, and (iii) if $A$ and $B$ do not have constant row sums $g_1(0) = g_2(0) = 0$. Putting $h_i = \psi(g_i)$, $i = 1,2$, we note that for $X \in K^n$

(5)  $g_i(X) = m_ih_i(X) + b_i$
     $g_ih_i^{-1}(X) = m_iX + b_i$
     $h_ig_i^{-1}(X) = m_i^{-1}(X - b_i),$

where $m_i = g_i(1) - g_i(0)$, $b_i = g_i(0)$. It follows that

$h_1Ah_2^{-1}(X) = h_1g_1^{-1}g_1Ag_2^{-1}g_2h_2^{-1}(X) = h_1g_1^{-1}Bg_2h_2^{-1}(X) = h_1g_1^{-1}(B(m_2X + b_2)) = m_1^{-1}(m_2BX + Bb_2 - b_1) = m_1^{-1}m_2BX;$

hence $(h_1,h_2) \in H_A$. If $A$ has unequal row sums we note that $b_i = g_i(0) = 0$ implying $g_i$ has the form (4). If $A$ has all row sums equal to $r$, we note that $h_1Ah_2^{-1}(\bar{1}) = m_1^{-1}m_2B(\bar{1})$ implies $h_1(r) = m_1^{-1}m_2r_B$ where $r_B$ is the row sum of any row of $B$; thus, since $g_1(\bar{0}) = Bg_2(\bar{0})$ we see that $b_1 = r_Bb_2 = m_2^{-1}m_1h_1(r)b_2$ showing that $g_1$ and $g_2$ have the form (3).

Finally, let $(h_1,h_2) \in H_A$; i.e., $h_1Ah_2^{-1} = C \in GL(n,K)$. If $A$ has constant row sums $r$ then so does $C$ and $h_1(r) = r_C$; thus if $g_1$ and $g_2$ are any two permutations defined by (3) then equations (5) are valid and

$g_1Ag_2^{-1}(X) = g_1h_1^{-1}h_1Ah_2^{-1}h_2g_2^{-1}(X) = g_1h_1^{-1}Ch_2g_2^{-1}(X) = g_1h_1^{-1}(C(m_2^{-1}(X - b_2))) = m_1m_2^{-1}CX - m_1m_2^{-1}Cb_2 + b_1 = m_1m_2^{-1}CX - m_1m_2^{-1}h_1(r)b_2 + b_1 = m_1m_2^{-1}CX.$

Thus $(g_1,g_2) \in G_A$. A similar argument is valid when $A$ does not have constant row sums so the proof is complete.

COROLLARY 1.1. Let $A \in GL(n,K)$. Then

(6)  $|G_A| = q(q-1)^2\,|H_A|$ if $A$ has constant row sums; $|G_A| = (q-1)^2\,|H_A|$ otherwise.
COROLLARY 1.2. Let $A \in GL(n,K)$ and let $(h_1,h_2) \in H_A$. If $g_1$ and $g_2$ are defined by (3) or (4) according as $A$ does or does not have constant row sums, then

$h_1Ah_2^{-1} = (h_1(a_{ij})) = h_1(A)$

and

$g_1Ag_2^{-1} = m_1m_2^{-1}h_1(A).$


Proof. Put $C = h_1Ah_2^{-1}$. We need only show that $C = (h_1(a_{ij}))$. Letting $U_j$, $C_j$ and $A_j$ denote respectively the $j$th columns of $I$ (identity matrix), $C$ and $A$ we have $C_j = CU_j = h_1Ah_2^{-1}U_j = h_1(AU_j) = h_1(A_j)$; thus, $c_{ij} = h_1(a_{ij})$.

Since it is now clear how to obtain $G_A$ sets from $H_A$ sets we now attack the problem of finding $H_A$ given $A$.

Recall that $A$ is monomial iff $A$ has exactly one nonzero entry in each row and column. The set of monomial matrices denoted by $M$ is a subgroup of $GL(n,K)$. It will be convenient to treat separately the case $A \notin M$ and $A \in M$.


THEOREM 2. Let $A \in GL(n,K) - M = M'$, let $Q$ denote the subfield of $K$ generated by the set of all quotients $a/b$ where $a,b$ are nonzero entries in $A$, and let $h_1,h_2$ be normalized permutations of $K$. The mapping $h_1Ah_2^{-1}$ is linear if and only if for all entries $a_{ij}$ of $A$, for all $x,y \in K$ and for all $c \in Q$ we have

(7)  $h_1(x+y) = h_1(x) + h_1(y)$

(8)  $h_1(cx) = h_1(c)h_1(x)$

(9)  $h_1(a_{ij}x) = h_1(a_{ij})h_2(x).$


Proof. Suppose first that $h_1$ and $h_2$ satisfy conditions (7) and (9) of the Theorem. Putting $C = h_1(A) = (h_1(a_{ij}))$ we have $Ch_2X = (\sum_j c_{ij}h_2(x_j)) = (\sum_j h_1(a_{ij})h_2(x_j)) = (\sum_j h_1(a_{ij}x_j)) = (h_1(\sum_j a_{ij}x_j)) = h_1AX$. Thus $h_1Ah_2^{-1} = C$ is linear.

Now suppose $h_1Ah_2^{-1} = C$ is linear. Then $h_1A = Ch_2$ where $C = h_1(A)$ (by COROLLARY 1.2). Let $U_j$ and $U_k$ be the $j$th and $k$th unit vectors, and let $x,y \in K$. Then $h_1A(xU_j + yU_k) = h_1(A)h_2(xU_j + yU_k)$ so that $h_1(a_{ij}x + a_{ik}y) = h_1(a_{ij})h_2(x) + h_1(a_{ik})h_2(y)$. Taking $y = 0$ we obtain condition (9), and using this condition we have further that $h_1(a_{ij})h_2(x) + h_1(a_{ik})h_2(y) = h_1(a_{ij}x) + h_1(a_{ik}y)$. Since some row of $A$ has two nonzero entries we have $h_1(ax + by) = h_1(ax) + h_1(by)$ for $a,b \neq 0$. Take $x = a^{-1}x'$ and $y = b^{-1}y'$ to obtain $h_1(x' + y') = h_1(x') + h_1(y')$ so condition (7) is valid.

We complete the proof by showing (7) and (9) imply (8). Let $c = a/b$ denote a quotient of two nonzero entries $a,b$ from $A$. From (9) we have $h_1(ax)/h_1(a) = h_1(bx)/h_1(b)$; hence, putting $x = y/b$ we obtain $h_1(cy) = h_1(a)h_1(y)/h_1(b)$. Taking $y = 1$ shows that $h_1(c) = h_1(a)/h_1(b)$; hence, $h_1(cy) = h_1(c)h_1(y)$. Now it is readily argued that the set defined by $S = \{s \in K : h_1(sx) = h_1(s)h_1(x)\}$ is a subfield of $K$, and since $S$ contains $c = a/b$ it contains $Q$. Thus (8) is valid.

It should be noted that the field $Q$ generated by the quotients of elements from $A$ is a subfield of the field generated by the elements of $A$. It should also be noted that THEOREM 2 implies $h_2$ is uniquely determined by $h_1$. The next theorem shows that any $h_1 \in H$ satisfying (7) and (8) can be used to construct an $h_2$ where $(h_1,h_2) \in H_A$.

THEOREM 3. Let $A$ and $Q$ be as in THEOREM 2, let $h_1 \in H$ satisfy (7) and (8), and let $a$ be a nonzero entry in $A$. Then the mapping $h_2$ defined by

$h_2(x) = (h_1(a))^{-1}h_1(ax)$

is in $H$ and is independent of the choice of $a$.


Proof. Clearly $h_2 \in H$; thus let $a_{ij}$ be an arbitrary nonzero entry in $A$ and put $c = a_{ij}a^{-1} \in Q$. Since $h_1(a_{ij}) = h_1(a_{ij}a^{-1}a) = h_1(ca) = h_1(c)h_1(a)$ it follows that $h_1(c) = h_1(a_{ij})(h_1(a))^{-1}$; thus, $h_1(a_{ij}x) = h_1(cax) = h_1(c)h_1(ax) = h_1(a_{ij})(h_1(a))^{-1}h_1(ax)$. Hence, $h_2(x) = (h_1(a))^{-1}h_1(ax) = (h_1(a_{ij}))^{-1}h_1(a_{ij}x)$ and the proof is complete.

In [1, p. 127, THEOREM 4.2] the authors give an explicit description of those functions $h \in H$ satisfying (7) and (8) for a given subfield $Q = GF(p^t)$ of $K = GF(p^m)$. In particular it is shown that $h$ satisfies (7) and (8) iff $h$ has the form

$h(x) = \sum_{i=1}^{d} \sigma(a_i)w_i$

where $d = [K:Q] = m/t$, $w_1, w_2, \ldots, w_d$ is an arbitrary ordered basis for $K$ over $Q$, and $a_1,\ldots,a_d \in Q$ are the coordinates of $x$ with respect to a fixed ordered basis $(1, v_2, \ldots, v_d)$ of $K$ over $Q$. Moreover, the number of such $h$ functions is shown to be

(10)  $N_1(m,t) = t\prod_{i=1}^{d}(p^m - p^{it}).$

Putting all of these ingredients together it is now clear how to find for a given nonmonomial matrix $A$ all $(g_1,g_2)$ pairs such that $g_1Ag_2^{-1}$ is linear. This procedure is summarized below after we indicate how to proceed in case $A$ is monomial.

THEOREM 4. Let $A \in M$ and let $R$ denote the subgroup of $K^*$ generated by all quotients of the nonzero entries of $A$. Then $(h_1,h_2) \in H \times H$ is in $H_A$ iff for all $x \in K$, $c \in R$ and nonzero entries $a$ of $A$ we have

(11)  $h_1(cx) = h_1(c)h_1(x)$

(12)  $h_1(ax) = h_1(a)h_2(x).$

THEOREM 5. Let $A$ and $R$ be as in THEOREM 4, let $h_1$ satisfy (11), and let $a$ be a nonzero entry in $A$. Then the map $h_2$ defined by

$h_2(x) = h_1(ax)/h_1(a)$

is in $H$ and is independent of the choice of $a$.
The proofs here are similar to those above and will be omitted. Note again that (12) implies $h_2$ is uniquely determined by $h_1$. The functions $h_1 \in G$ satisfying (11) have been described in [1, p. 131, THEOREM 5.2]. The number of such functions is shown to be

(13)  $N_2(m,r) = (e-1)!\,r^{e-1}\varphi(r)$

where $r = |R|$ and $e = (p^m - 1)/r$, and $\varphi$ is the Euler $\varphi$-function.

A procedure for finding those $(\beta_1,\beta_2,B)$ triples equivalent to a given $(\alpha_1,\alpha_2,A)$ as well as a procedure for finding $G_A$ and $H_A$ given $A$ is described as follows:

1. If $A \notin M$ (respectively $A \in M$) determine the subfield $Q = GF(p^t)$ of $K$ (subgroup $R$ of $K^*$) generated by the set of quotients of nonzero elements of $A$.

2. Determine the mappings $h_1$ satisfying (7) and (8) (respectively (11)). The number of such mappings is given by (10) (respectively (13)).

3. Pick an arbitrary nonzero entry $a$ in $A$ and for each $h_1$ found in step 2 determine $h_2$ by $h_2(x) = h_1(ax)/h_1(a)$. The pairs $(h_1,h_2)$ thus obtained are the members of $H_A$. Here $h_1Ah_2^{-1} = h_1(A)$, and $|H_A| = N_1(m,t)$ (respectively, $N_2(m,r)$, $r = |R|$).

4. Construct the set $G_A$ by obtaining for each $(h_1,h_2)$ pair the corresponding $(g_1,g_2)$ pairs described in THEOREM 1. Here $g_1Ag_2^{-1} = m_2^{-1}m_1h_1(A)$ where $m_1 = g_1(1) - g_1(0)$, $m_2 = g_2(1) - g_2(0)$. The number of such pairs is given by COROLLARY 1.1 together with the above formula for $|H_A|$.

5. For each $(g_1,g_2) \in G_A$ determine $(\beta_1,\beta_2,B)$ by $\beta_1 = g_1\alpha_1$, $\beta_2 = g_2\alpha_2$, $B = m_2^{-1}m_1h_1(A)$. The number of such triples is $|G_A|$.

Using techniques similar to those in [2] one can now find the number of equivalence classes of the relation $\sim$ but this will not be developed here.
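The procedure above can be checked by exhaustive search in a small case. The following is an added example, not part of the paper: it assumes $K = GF(5)$, $n = 2$ and four constructed monomial matrices, brute-forces $H_A$ and $G_A$, and compares the counts with formula (13) and COROLLARY 1.1; all function names are illustrative. The resulting $|G_A|$ is the number of keys $(\beta_1,\beta_2,B)$ that encipher exactly like a given $(\alpha_1,\alpha_2,A)$.

```python
from itertools import permutations, product
from math import factorial, gcd

P, N = 5, 2                      # assumed sample case: K = GF(5), block length n = 2
VECTORS = list(product(range(P), repeat=N))
G = list(permutations(range(P)))               # g[x] is the image of x under g
H = [g for g in G if g[0] == 0 and g[1] == 1]  # normalized permutations

def mat_vec(A, X):
    return tuple(sum(a * x for a, x in zip(row, X)) % P for row in A)

def induced_matrix(g1, A, g2):
    """Return B when g1 A g2^{-1} equals X -> BX on K^n, otherwise None."""
    inv = {y: x for x, y in enumerate(g2)}
    def f(X):
        return tuple(g1[v] for v in mat_vec(A, [inv[x] for x in X]))
    cols = [f(tuple(int(i == j) for i in range(N))) for j in range(N)]  # f(U_j)
    B = tuple(tuple(col[i] for col in cols) for i in range(N))
    # f is a bijection, so B is invertible whenever f(X) = BX for every X
    return B if all(mat_vec(B, X) == f(X) for X in VECTORS) else None

def linear_pairs(A, maps):
    """Brute-force G_A (maps=G) or H_A (maps=H)."""
    return [(g1, g2) for g1 in maps for g2 in maps
            if induced_matrix(g1, A, g2) is not None]

def quotient_subgroup(A):
    """Subgroup R of K* generated by quotients of nonzero entries of A."""
    nz = [a for row in A for a in row if a]
    R = {a * pow(b, -1, P) % P for a in nz for b in nz}
    while True:
        closed = R | {x * y % P for x in R for y in R}
        if closed == R:
            return R
        R = closed

def n2(r):
    """Formula (13): (e-1)! r^(e-1) phi(r) with e = (q-1)/r."""
    e = (P - 1) // r
    phi = sum(1 for k in range(1, r + 1) if gcd(k, r) == 1)
    return factorial(e - 1) * r ** (e - 1) * phi

def predicted_g_count(A, h_count):
    """COROLLARY 1.1: |G_A| from |H_A| and the row sums of A."""
    constant = len({sum(row) % P for row in A}) == 1
    return (P if constant else 1) * (P - 1) ** 2 * h_count

# Constructed monomial sample matrices over GF(5)
SAMPLES = {"identity": ((1, 0), (0, 1)), "diag(1,2)": ((1, 0), (0, 2)),
           "diag(1,4)": ((1, 0), (0, 4)), "2*swap": ((0, 2), (2, 0))}

def report(A):
    """(|H_A| found, N2 from (13), |G_A| found, |G_A| from COROLLARY 1.1)."""
    h_count = len(linear_pairs(A, H))
    return (h_count, n2(len(quotient_subgroup(A))),
            len(linear_pairs(A, G)), predicted_g_count(A, h_count))

if __name__ == "__main__":
    for name, A in SAMPLES.items():
        print(name, report(A))
```
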